This page contains mostly technical and historical information about both
CSS (the "encryption") and DeCSS (the decryption tool).

CSS and the CSS license

CSS ("Content Scrambling System") is an encryption system that most commercial
DVDs use, and all DVD players need to understand. It's alleged purpose is to
stop piracy, however it also enforces region coding, non-skippable FBI warnings
or commercials and many other artificial restrictions.
Links to a cryptoanalysis of CSS can be found below, but CSS also consists of
one other element: The CSS license. CSS is still being treated as a secret,
even though it's dirty secrets have been available to the general public since
November 1999. So in order to incorporate CSS into a player or other device, a
company has to sign the CSS license, which is used as a further means to
enforce the various restrictions put on customers through the CSS access
control mechanism.

As background information, we have a local mirror of
http://www.dvdcca.org/dvdcca/data/css/,
which provides downloads for many CSS documents including procedures and
parts of the license. Many of the artificial restrictions enforced through
the CSS license can be found there and you can see for yourself how little
CSS has to do with access control or copy protection.
It is unknown whether DVD CCA makes the above files available on purpose or
by mistake. But they have been available at the above address for at least
several weeks now, so we consider them published.

Hacking CSS

The media generally refers to Jon Johansen as the one who cracked CSS, though
this might not be so. In fact, the late DeCSS releases by MoRE ("Masters of
Reverse Engineering") contain a text file that
says quite the contrary: An anonymous german hacker was responsible for the
CSS crack, and MoRE only claims credit for writing DeCSS, the software. Jon
Johanson said the same again in a recent interview
with LinuxWorld.
MoRE also mention Derek Fawcus, who used to have a site with
a cryptoanalysis of CSS at http://www.eyrie.demon.co.uk/css/, though that
site has been down for a long time now.
Frank A. Stevenson had his cryptoanalysis of CSS online at
crypto.gq.nu for a much longer time. The
site still contains a link to it, and in case that ever vanishes, I have
also a local copy.
The links section shows clearly
that CSS source code was posted anonymously to the LiVid mailing list on
october 25th, 1999. Stevenson posted his first attack on the cipher two days
later.
MoRE claim that they had working CSS decryption
code in the middle of september, 1999.
DeCSS, the proof-of-concept software that includes the CSS decryption code,
was released in later october, 1999. MoRE also claims that another group,
Drink or Die (DoD) also had a working decryption tool. That brings the total
count of independent groups breaking the CSS encryption to three.

DeCSS

The software was released in the final days of october, 1999. It got
considerable media attention during the first days of november, 1999.
DeCSS is a very simple windows tool that allows decryption of a CSS
encrypted movie DVD and the copying of all or selected files from it to the
harddisk.
It should be mentioned (again), that
DVD rippers had been
available for a long time already. For some reason, this fact did not get
much media attention, which might be the reason many journalists saw DeCSS
as the "first DVD piracy tool". The main difference between the "1st generation"
rippers and tools like DeCSS and DoD Speed Ripper are that the older rippers
do not decrypt the DVD at all. Instead, they let a DVD player do the decryption
and hook themselves into the video or other suitable drivers, copying the
data stream after decryption. The "2nd generation" software do actual
decryption.
While this might be used for piracy in theory, it leaves you with a
large volume of raw data in practice. A typical movie DVD contains 4 to 6
individual .vob files of 1 GB size each (the last file may be shorter) plus
whatever special features might be on the DVD. The total data volume of a
typical movie DVD is between 7 and 9 GB of data. You can't burn this to CD,
since a CD only holds 650 MB of data - the 1 GB .vob files don't fit. If you
keep it on your harddisk, then said harddisk will quickly fill up. An 18 GB
drive can hold two DVD movies, but costs considerably more than original
copies of those would cost. The same holds true for all other media that can
store this amount of data, including writeable-DVDs.
At this point in time, the only people for whom DVD piracy is profitable are
the professional pirates who own expensive equipment and couldn't care less
for any encryption, since they do bitwise copies anyways, which means that
their pirate copies are precise duplicates of the originals, including the
CSS encryption. The DVD player will notice no difference between such a copy
and the original version. CSS can not stop this kind of piracy.personal note

Worse yet, this kind of piracy has been around
since 1998
- long before DeCSS was ever written.

It is interesting that Jim Cardwell (Warner Home Video)
completely agrees
with most of the points made above. The only thing missing from his thoughts
is the conclusion from his "There's no real economic incentive for anyone to
hack this product" to the reason why it was done nevertheless.
More support for our arguments is coming from other industry players. The
Israel-based company anti-piracy technology company TTR, for example, has
published a whitepaper about CSS
containing very much the same arguments.
Both the DVD CCA and the MPAA also can hardly claim ignorance to the fact that
DVD piracy was a serious problem long before DeCSS. Why they still blaim DeCSS
to "enable piracy" is beyond me.

Some final remarks about the legality of reverse-engineering: Norway does have
a law that explicitly allows reverse-engineering and also states that this
right can not be taken away by contract or license. For those of you
who speak norwegian, the law can be found
here.
For those of you who don't, here is a translation
someone on the cypherpunks mailing list made.
For Germany, a similiar law
allows reverse-engineering to create interoperatibility. I also now have
a translation of this, though it has not been
done by a legal expert, so some terms may be slightly incorrect.

Moreover, it is well possible that the whole DVD CCA licensing scheme violates
the European Union treaty, specifically article 81
and article 82.

For the United States, here is information on why the DVD CCA is not sueing,
and can not possibly sue, under copyright law. It also follows that the MPAA's
case is weak at best, unless they can prove actual copyright infringement (e.g.
DVD copying) by the defendants:http://www.softwareprotection.com/patent.html
quotes: "...in the United States, software that affects a physical process
may be patentable. If the software preempts a mathematical algorithm, however,
it is not patentable." - this is why CSS was not and probably cannot be
patented.http://www.softwareprotection.com/copyright.html
quotes: "Generally, copyright laws protect the form of expression of an idea,
but not the idea itself. With respect to software, this typically means that
the computer program, in both human-readable and machine-executable form,
and the related manuals are eligible for copyright protection, but the
methods and algorithms within a program are not protected expression." -
which means that a specific computer program (e.g. Xing DVD player) can be
protected by copyright, but what it does (e.g. decrypt and play DVDs) can not.

Appendix: Software

You can download the following files from here. However, my FTP server has
a limit of 10 anonymous users, so please consider using a mirror site. Lists
of mirror sites are available at: